[OSM-talk] Mailing list security

Tom Hughes tom at compton.nu
Sat Nov 25 17:01:20 UTC 2017


On 25/11/17 16:45, Colin Smale wrote:
> On 2017-11-25 17:31, Tom Hughes wrote:
> 
>> On 25/11/17 15:37, Colin Smale wrote:
>>>
>>>
>>> On 25 November 2017 16:04:45 CET, "Éric Gillet" <gill3t.3ric+osm at gmail.com> wrote:
>>>> Another point: This password is not secure, but what's the worst that
>>>> could happen with it? As long as one doesn't reuse it on other
>>>> applications (as warned during registration), the only action an
>>>> attacker could do would be to unsubscribe you. Not really catastrophic.
>>> ...until it is hacked and thousands of passwords are stolen. If even one of those leads to something serious, I am not sure that saying "I told you so 10 years ago when you signed up" will be enough to absolve the operators of liability.
>>>
>>> I will open a ticket as suggested.
>>
>> There's really not much point - we will upgrade as and when the 
>> packages in Ubuntu are upgraded. We're not going to be installing from 
>> source.
> In that case I won't bother. I can't help thinking: what a sorry state 
> of affairs.
> When you say "we", who are you referring to exactly, Tom?

The system administrators that are responsible for running it.

I would also add that most sites are sticking with mailman 2 for now 
which is likely why the distros haven't upgraded.

The only site I know of that uses mailman 3 is Fedora and from my 
experience of it I would say it's still a bit rough around the edges for 
now.

Everybody knows the whole password thing with mailman 2 is not ideal and 
is basically a major pain but there are no easy solutions to it.

Tom

-- 
Tom Hughes (tom at compton.nu)
http://compton.nu/


